AIO Glossary Flashcards

1
Q

A tool that sites between client systems and the back end services they call via API rwquests in order to serve as a reverse proxy for security and performance capabilities

A

API Gateway

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A set of functions, routines, tools or protocols for building applications. An API allows for interaction between systems and applications that can be leveeraged by developers as building blocks for their applications and data access through a common method, without custom coding for each integration

A

Application Programming Interface (API)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

An estimated number of the times a threat will successfully exploit a given vulnerability over the couse of a single year

A

Annualized Rate of Occurrence (ARO)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A threat modeling approach composed of Architecture, Threats, Attack Surfaces and Mitigations

A

ATASM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

The ability to properly capture, analyze and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance and regulatory and contractual compliance

A

Auditability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The process of evaluating credentials presented by a user, application or service to prove its identity as compared to values already known and verified by the authentication system

A

Authentication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The process of granting or denying access to a system, network or application after successful authentication has been performed, based on approved criteria set by regulation

A

Authorization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Part of the change management process, which establishes an agreed upon standard configuration and the attributes that comprise it and forms the basis for managing change from that point forward

A

Baseline

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A heavily fortified system that serves as a jumpbox or proxy between an untrsuted network and trusted networks

A

Bastion Host

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or a disruption of service

A

Business Continuity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A process designed to identify risks, threats and vulnerabilities that could disrupt or impact services, with the intent of determining mitigation stratgies and response processes should they occur

A

Business Continuity Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A developed and tested document, containing information from stakeholders and staff, for the continuation of operations and services in the event of a disruption or incident

A

Business Continuity Plan

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or liklely extent of impact and disruption

A

Business Impact Analysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The formal documentiation showing the chronological control and disposition of data or evidence, either physical or electronic. This documentation includes creation, all changes of possession and final disposition.

A

Chain of Custody

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Federation

A

A group of IT service providers that interoperate based on an agreed upon set of standards and operations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

An individual with a role in the change management process who ensures the overall change process is properly executed. This person also directly handles low levels tasks related to the change process

A

Change Manage

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

A software tool or service that sits between cloud resources and the clients or systems accessing them. It serves as a gateway that can perform a variety of security and policy enforcement functions. A CASB typically can consolidate and perform the functions of firewalls and web applications firewalls as well as provide authentication and data loss prevention capabilities

A

Cloud Access Security Broker

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

An application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. A cloud application merges the functionalty of a local application with the accessibility of a web based application

A

Cloud Application

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Cloud Application Management for Platforms (CAMP)

A

Within a PaaS implementation, CAMP servers as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise the platform, and the language describing the overall platform, its components and services and the metadata about it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

An audit that is specifically responsible for conducting audits of cloud systems and cloud applications. The cloud auditor is responsible for assessing the effectiveness of cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used

A

Cloud Auditor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

The process of using a cloud based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center

A

Cloud backup

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

A public or private cloud services organization that offers backup services to either the public or organizational clients, either on a free basis or using various costing models based on either the amount of data or number of systems

A

Cloud Backup Service Provider

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Services that run within a public or private cloud offering backup solutions, either through client based software that does automatic or scheduled backups or through manual backups initiated by a user or system

A

Cloud Backup Solutions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider

A

Cloud Computing Reseller

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

A formally published guide by the Cloud Security Alliance that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture, The CCM also allows a cloud provider to structure its security approach

A

Cloud Controls Matrix (CCM)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

An organization or individual that utilzies and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and gee based applications or solutions

A

Cloud Customer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

The ability to move data between cloud providers

A

Cloud Data Portability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application. Because the database is being installed in a cloud environment instead of a typical server environment, elasticity, scalability and high availability can be achieved and maximized

A

Cloud Database

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

A partner that serves as an intermediary between a cloud service customer and a cloud service provider

A

Cloud Service Broker

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

A group of cloud services with a common set of features or qualities

A

Cloud Service Categoriy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

On that holds a relation with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery

A

Cloud Service Partner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Common Criteria

A

A set of international guidelines and specifications for the evaluation of IT security resources to ensure that they meet an agreed upon set of security standards, specifically focused on government computing and security needs and requirements. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of these and it may exist on or off premises

A

Community Cloud

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

CaaS allows for the execution of compute intensive workloads to be performed in the cloud. Code can be executed in a serverless environment where the customer only pays for the computing time and cycles they consume, without the need for setting up server instances or environments.

A

Compute as a Service (CaaS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Confidential computing is a paradigm that isolates the processing of data within protected CPU segments that are completely isolated from other users and systems

A

Confidential Computing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Establishing a controlled means of consistency throughout a systems lifecycle, based on its requirements and technical specifications, to properly ensure configuration controls, performance standards and design requirements

A

Configuration Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

A software package that contains all of the code, configuration, and libraries needed for an application to operate, packaged inside a single unit

A

Container

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

The process of taking logs from many different systems and putting them together based on a commonality in order to fully track a session or transaction

A

Correlation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

A very common type of security vulnerability found with web applications, where an attacker can inject client side scripts into web pages that are then viewed and executed by other users.; The goal of XSS from an attackers perspective is to bypass the security controls of an application, such as an access control with a same origin policy

A

Cross Site Scripting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Data that resides on a system in persistent storage, such as disks, tapes, databases or any other type of storage device

A

Data at Rest (DAR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

The feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed. The degree of dispersion is typically based on the needs of the application and the level of service provured by the cloud customer

A

Data Dispersion

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Serverless, managed data processing service offered by a cloud provider for the execution of data pipelines

A

Data Flow

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

Data that flows over a networked connection, either through public unsecured networks or internal protected corporate networks

A

Data in Transit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Data within a system or application that is currently being processed or is in use, either through the computing resources or residing in memory

A

Data in Use

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of network or systems that are secured and protected. This can be related to the intentional attempt by user to transfer such information, but it also applies to preventing the accidental sending or leakage of data

A

Data Loss Prevention

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

The ability to easily move data from one system to another without having to re-enter it

A

Data Portability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

A suite of tools used to monitor database operations and functions in real time in order to detect security concerns or anomalies

A

Database Activity Monitoring (DAM)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

A subscription service where the database is installed, configured, secured and maintained by the cloud provider, the the cloud customer on responsible for loading their schema and data

A

Database as a Service (DBaaS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

A cloud based equivalent of a traditional virtual desktop interface (VDI) that is hosted and managed by a cloud provider rather than on hardware owned by the customer

A

Desktop as a Service (DaaS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

Combines software development with IT operations, with a goal of shortening the software development time and providing optimal uptime and quality of service

A

DevOps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

Short for development, security and operations. The process of integrating security at all levels and stages of development and operations to fully ensure best practices and a focus on security

A

DevSecOps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

Information that specifically applies to a unique individual such as name, address, phone number, email address, or unique identifying numbers of codes

A

Direct Identifier

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

A utility from VMware that balances computing demands and available resources within the virtualized environment

A

Distributed Resource Scheduler (DRS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

The testing of an application while it is in an operational state with currently running systems, applications and networks

A

Dynamic Application Security Testing (DAST)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization

A

Dynamic Optimization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

A computing paradigm that is based on putting the processing of data and computing resources as close to the source of that data as possible

A

Edge Computing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

The process for a criminal or civil legal case where electronic data is determined, located and secured to be used as evidence

A

eDiscovery

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials or keys can access it

A

Encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

An application that runs on a large and distributed scale and is deemed mission critical to a company or organization

A

Enterprise Application

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

A cloud based backup and recovery service that is related to and similar to those offered for personal use, but scaled and focsed on large scale and organizational level services

A

Enterprise Cloud Backup

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

Temporary, unstructured storage that is only used for a node or service while it is active and in use and the is destroyed upon being shut down or deleted

A

Ephemeral Storage

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

An action or situation that is recognized by software that then causes some action or response by the software to be taken

A

Event

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q
A
64
Q

A security standard published by the US federal government that pertains to the accreditation of cryptographic modules

A

FIPS 140-2

65
Q

The use of a location technology such as WiFi, cellular networks, RFID tags, IP address locations or GPS to control access or behavior of devices

A

Geofencing

66
Q

A physical device, typically a plugin card or an external device, that attaches to a physical computer. It is used to perform encryption and decryption of digital signatures, authentication operations and other services where cryptography is necessary

A

Hardware security modules (HSM)

67
Q

Taking data of an arbitrary type, length or size and using a mathematical function to map the data to a value that is of a fixed size. Hashing can be applied to virtually any type of data object, text strings, documents, images, binary data and even virtual machine images

A

Hashing

68
Q

The HITECH Act of 2009 provided incentives for health care providers to expand their use of tech, including the widespread adoption of electronic health record systems

A

Health Information technology for economic and clinical health act

69
Q

The Health Insurance Portability and Accountability Act of 1996 requires the US department of health and human services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than specific technologies used, so long as they meet the requirements of the regulations

A

Health Insurance Portability and Accountability Act (HIPAA)

70
Q

A hosted based intrusion detection system monitors the internal resources of a system for malicious attempts. It can also be used for packet inspection and network monitoring

A

Host Based Intrusion detection system

71
Q

A cloud infrastructure composed of two or more distinct cloud infrastructure that remain unique entities but are bonded together by standardized or proprietary technology that enables data and application portability

A

hybrid cloud

72
Q

A virtual machine manager that allows and ebales multiple virtual hosts to reside on the same physical host

A

Hypervisor

73
Q

A subscription based service for Identity and Access Management and single sign on that is offered over the Internet versus deployed by the customer

A

Identity as a Service (IDaaS)

74
Q

A system responsible for determining the authenticity of a user or system, thus providing assurance to a service that the identity is valid and known and possibly providing additional info about the identity of the user or system to the service provider requesting it

A

Identity Provider (IdP)

75
Q

An event that could potentially cause a disruption to an organizations systems, services or applications

A

Incident

76
Q

Pieces of information about an entity that cannot be used individually to identify that entity uniquely but can be used in combination to potentially do so. Examples include place of birth, race, employment history and educational history

A

Indirect Identifiers

77
Q

A subset of digitial rights management that is focused on protecting sensitive information from unauthorized exposure or use

A

INformation Rights Management (IRM)

78
Q

The capability provided to a consumer to provision processing, storage, networks and other fundamental computing resources in order to deploy and run arbitrary software, including OS and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over OS< storage and deployed applications and possibly limited control of select networking components such as host firewalls

A

Infrastructure as a Service (IaaS)

79
Q

A way of managing and provisioning infrastructure components through definition files, versus the traditional way of using configuration tools. Typically, admins maintain definition files that contain all the options and settings needed to deploy virtual machines or other pieces of a virtual infrastructure

A

Infrastructure as Code (IaC)

80
Q

A method for monitoring an application while it is running and has processes interacting with it, continually scanning for any security vulnerabilities.

A

Interactive Application Security Testing (IAST)

81
Q

The ease and ability to reuse components of a system or application regardless of the underlying system design and provider

A

Interoperability

82
Q

A device, appliance, or software implementation that monitors servers, systems or networks for malicious activities

A

Intrusion detection system (IDS)

83
Q

A network based appliance or software that examines network traffic for known exploits or any attempts to use exploits, and actively stop them or blocks attempts

A

Intrusion prevention system (IPS)

84
Q

A formal specification for information security management systems that provides, through completion of a formal audit, certification from an accredited body for compliance, ISO/IEC 27001:2018 is the latest revision

A

ISO/IEC 27001 and 27001:2018

85
Q

A collection of papers and concepts that lays out a vision for an IT Service Management (ITSM) framework for IT services and user support

A

IT Infrastructure Library (ITIL)

86
Q

The authority to exert regulatory and legal control over a defined area of responsibility. Jurisdictions can overlap between the local, state/province, and national levels

A

Jurisdiction

87
Q

A system or service that manages keys used for encryption within a system or application that is separate from the actual host system. The KMS will typically generate, secure and validate keys

A

Key Management Service (KMS)

88
Q

A metric that provides quantitative value that can be sued to evaluate how effectively key business requirements are being met

A

Key Performance Indicator (KPI)

89
Q

The process of collecting and preserving data as required by an official request from a legal authority

A

Legal Hold

90
Q

A provider of IT services where the technology, software and operations are determined and managed away from the customer or user

A

Managed Service Provider

91
Q

The process of aligning data values and fields with specific definitions or requirements

A

Mapping

92
Q

A measure, typically in hours, of what the average time between failures is for a hardware component in order to determine its reliability

A

Mean Time Between Failures (MTBF)

93
Q

A measure for hardware components of the typical or average time to repair a recover after a failure

A

Mean TIme to Repair (MTTR)

94
Q

A cloud service thats delivered and billed for in a metered way

A

Measured Service

95
Q

Data that gives additional descriptive information about other data. THis can be in the form of structural data that pertains to how the information is stored and represented, or it can be descriptive data that contains information about the actual content of the data

A

Metadata

96
Q

Cloud based storage, typically used for mobile devices such as tablets, phones and laptops, that enables the user to access their data from any network location and across multiple devices in a uniform way

A

Mobile Cloud Storage

97
Q

Mobile Device Management

A

MDM is an encompassing term for a suite of policies, technologies and infrastructure that enables an organization to manage and secure mobile devices that are granted access to its data across a homogenous environment. This is typically accomplished by installing software on a mobile device that allows the IT department to enforce security configurations and policies, regardless of whether its owned by the organization or is a private device owned by the user

98
Q

Having multiple customers and applications running within the same environment but in a way that they are isolated from each other and not visible to each other, while still sharing the same resources

A

Multitenancy

99
Q

A device placed at strategic places on a network to monitor and analyze all network traffic traversing the subnet and them compare it against signatures for known vulnerabilities and attacks

A

Network based intrusion detection system

100
Q

Contains a set of rules that can be applied to network resources for the processing and handling of network traffic. The group contains info used to filter traffic based on the direction of traffic flow, source address, destination address, ports of both the source and destination and the protocols being used for transmission

A

Network Security Group

101
Q

Title Security and Privacy Control for Federal Information Systems and Organizations NIST SP 800-53 provides a set of security controls for all systems under the US federal government, with the exception of systems dedicated to national security

A

NIST SP 800-53

102
Q

The ability to confirm the origin or authenticity of data to a high degree of certainty

A

Non repudiation

103
Q

A set of standards for protecting the national power grid and systems, specifically from a cyber security perspective

A

North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC/CIP)

104
Q

A storage method used with IaaS where data elements are managed as objects rather than hierarchically with a file system and directory structure

A

Object Storage

105
Q

The ability for a cloud customer to provision services in an automatic manner, when needed, with minimal involvement from the cloud provider

A

On Demand Self Service

106
Q

An official ITIl term that relates to a specialized service level argeement (SLA) pertaining to internal parties of an organization, rather than between a customer and provider

A

Operational Level Agreement (OLA)

107
Q

The automation of tasks within a public or private cloud that manages administration, workloads, and operations within the environment

A

Orchestration

108
Q

The process of securely removing data from a system by writing blocks of randmo or opaque data on storage media to destory any previous data and make it unrecoverable

A

Overwriting

109
Q

Process for Attack Simulation and Threat Analysis is a seven step method that is platform agnostic and combines business objectives, technical requirements and compliance for threat management

A

PASTA

110
Q

An industry regulation that applies to organizations that handle credit card transactions. Rather than being a legal regulation passed by government authorities, it is enforced and administered by the credit card industry itself. The regulations are designed to enforce security best practices to reduce credit card fraud

A

Payment Card Industry Data Security Standard

111
Q

The capability provided to the customer to deploy onto the cloud infrastructure any consumer created or acquired applications written using programming languages, libraries, services and tools supported by the provider. The customer does not manage or control the underlying infrastructure, including the network, servers, OS, and storage, but does have control over the deployed applications and possibly configuration settings for the application hosting environment

A

Platform as a Service

112
Q

The ability of a system or application to seamlessly and easily move between different cloud providers

A

Portability

113
Q

A specific type of analysis conducted by an organization that stores or processes sensitive and private data. The organization will evaluate its iternal processes for development and operations with an eye toward the protection of personal data throughout the entire lifetime of its possession and use

A

Privacy Impact Assessment (PIA)

114
Q

A declaration published by the cloud service provider documenting its approach to data privacy. The cloud service provider implements and maintains the PLA for the systems it hosts

A

Privacy Level Agreement (PLA)

115
Q

A cloud infrastructure provisioned for exclusive use by a single organization composed of multiple consumers. It may be owned, managed and operated by the organization, a third party, or some combination thereof, and it may exist on or off premises

A

Private Cloud

116
Q

A special designation of data under United States law that encompasses any health related data that can be tied to an individual, including health status, healthcare services sought or provided, or any payment related to healthcare

A

Protected Health Information (PHI)

117
Q

A cloud infrastructure provisioned for open use by the general public. It may be owned, managed and operated by a business, academic organization, or governmental organization, or some combination of both. It exists on the premises of the cloud provider

A

Public Cloud

118
Q

Quantum computing involves the use of quantum phenomena, such as the interactions between atoms or wave movements, to aid in computation

A

Quantum Computing

119
Q

A point of time in the past that an organization is willing to revert to in order to restore lost data or services following an interruption

A

Recovery Point Objective (RPO)

120
Q

A defined maximum time duration for which an organization can accept the loss of data or services following an interruption

A

Recovery Time Objective (RTO)

121
Q

A system or application that provides access to secure data through the use of an identity provider

A

Relying Party

122
Q

A system for designing and implementing networked applications by utilizing a stateless, cacheable, client/server protocol, almost always via HTTP

A

Representational State Transfer (REST)

123
Q

A key component of the change management process that involves a formal documented change request, including what change is needed, why it is needed, the urgency of the change and the impact if the change is not made

A

Request for Change (RFC)

124
Q

The aggregation and allocation of resources from the cloud provider to serve the cloud customers

A

Resource Pooling

125
Q

The ability of a cloud customer to recovery all data and applications from a cloud provider and completely remove all data from the cloud providers environment

A

Reversibility

126
Q

Security technology and systems integrated into a system or application that enables it to detect and prevent attacks in real time

A

Runtime Application Self Protection (RASP)

127
Q

The segregation and isolation of information or processes from others within the same system or application, typically for security concerns

A

Sandboxing

128
Q

A computing system or application that processes data

A

Service

129
Q

A document agreed upon between a customer and a service provider that defines and maps out minimum performance standards for a variety of contract requirements. An SLA typically includes minimum standards for processes, uptime, availability, security, auditing, reporting, customer srrvice and potentially many other requirements

A

Service Level Agreement (SLA)

130
Q

An organization that provides IT services and applications to other organizations in a sourced manner

A

Service Provider (SP)

131
Q

A system of providing IT applications and data services to other components through communications protocols over a network, independent of any particular technology, system, provider or implementation

A

Service Oriented Architecture (SOA)

132
Q

This is a proven methodology for developing business driven risk and opportunity focused security architectures, at both the enterprise and solutions levels, that traceable support business objectives. It is widely used for information assurance architectures and risk management frameworks as well as to align and seamlessly integrate security and risk management into IT architecture methods and frameworks. SABSA is composed of a series of integrated frameworks, models, methods and processes and can be sued independently or as a holistic, integrated enterprise solution

A

Sherwood Applied Business Security Architecture

133
Q

A messaging protocol that is operating system agnostic and used to communicate with other systems through HTTP and XML

A

Simple Object Access Protocol (SOAP)

134
Q

The monetary value assigned to the occurrence of a single instance of risk or exploit to an IT service, application or system

A

Single Loss Expectancy (SLE)

135
Q

Audit and accounting reports, focused on an organizations controls, that are employed when providing secure services to users

A

SOC 1/SOC 2/SOC 3

136
Q

The capability provided to the customer to use the providers applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web rbwoser, or a program interface. The consumer does not manage or control the underlying infrastructure, including the network, servers, OS, storage and even individual application capabilities, with the possible exception of limited user specific application settings

A

Software as a Service (SaaS)

137
Q

An automated process that scans a codebase to identify any code that is from an open source package or repo. It is crucial for both security and license compliance

A

Software Composition Analysis (SCA)

138
Q

An approach to separate the network configurations for the control plane and the data plane. This allows an abstraction for network admins to configure and control those aspects of the network important to modern systems and applications without having to get involved with the actual mechanisms for forwarding network traffic

A

Software Defined Networking

139
Q

A defined period of time for development to be accomplished with running list of deliverables that are planned one sprint in advance

A

Sprint

140
Q

A method used by malicious actors to insert SQL Statements into a data driven application in various input fields, attempting to get the application to access arbitrary code and return the results to the attacker. This could include attmpets to access a full database or the protected data within it or to modify or delete data

A

SQL Injection

141
Q

Security testing of applications by analyzing their source code, binaries and configurations. This is done by tested who have an in depth knowledge of systems and applications, with the testing performed in a nonruninng state

A

Static Application Security Testing

142
Q

One or more cloud customers who share access to a pool of resources

A

Tenant

143
Q

An open enterprise architecture model intended to be a high level approach that design teams can use to optimize success, efficiency and returns throughout a systems lifecycle

A

The Open Group Architecture Framework

144
Q

The process of replacing and substituting secured or sensitive data in a data set with an abstract or opaque value that has no use outside of the application

A

Tokenization

145
Q

An evaluation of the content of data packets flowing into and in some cases, out of a network

A

Traffic Inspection

146
Q

A program or application used to trick a user or administrator into executing an attack by disguising its true intention

A

Trojan

147
Q

The security concept of separating systems and data into different levels (or zones) and applying security methods and practices to each zone, based on the requirements of that particular group of systems. In many instances, zones of a higher degree of trust may access those with a lower degree, but not vice versa

A

Trust Zone

148
Q

The optimization of a cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or by a particular industry sector or need

A

Vertical Cloud Computing

149
Q

A computing environment that is a software implantation running on a host system, versus a physical hardware environment

A

Virtual Host or Virtual Machine

150
Q

A VPN facilitates the extension of a private network over public networks, and it enables a device to operate as if it were on the private network directly. A VPN works by enabling an encrypted point to point connection from a device into a private network, typically through software applications, but this also can be done via hardware accelerators

A

Virtual Private Network

151
Q

A type of rootkit installed in a virtualized environment between the underlying host system and the virtual machine. It is then executed and used when the virtual machine is started. A VM based rootkit is very difficult to detect in an environment, but its also very difficult to successfully implement

A

VM based rootkit

152
Q

A more typical or standard file system used with IaaS that provides a virtual partition or hard disk to a virtual machine. It would be used just like a traditional hard drive, with file system, folders, and file organization methods

A

Volume Storage

153
Q

A traditional development methodology where projects are divided into phases that must be fully developed, tested, approved, and implemeted before moving onte the next phase

A

Waterfall

154
Q

An appliance of software plug in that parses and filters HTTP traffic from a browser or client and then applies a set of rules before the traffic is allowed to proceed to the actual application server

A

Web Application Firewall (WAF)

155
Q

A web based application that provides tools, reporting and visibility for a user into multiple systems. In a cloud environment, a web portal provides metrics and service capabilities to add or expand for the customer to consume

A

Web Portal

156
Q

An appliance implemented within a network to secure and manage XML traffic. it is particularly used within a cloud environment to help integrate cloud based systems with those still residing in traiditonal data centers

A

XML appliance